Item sharing based on information boundary and access control list settings

ABSTRACT

An item is shared based on an information boundary and access control settings. An application such as a document management application detects a selection of an information boundary to manage a sharing action associated with the item. The information boundary includes rules to define how the item is shared. A selection of an access control list is also detected to manage recipients who have an access to the item. The access control list allows a recipient in the list an ability to search and discover the item. In response to a detection of the sharing action to share the item, the information boundary and the access control list is applied to the item. The item is then shared based on the information boundary and the access control list through a link of the item transmitted to a recipient.

CROSS-REFERENCE TO RELATED APPLICATION(S)

This application is a Continuation of, and claims priority to U.S.patent application Ser. No. 15/196,239, filed Jun. 29, 2016, entitled“ITEM SHARING BASED ON INFORMATION BOUNDARY AND ACCESS CONTROL LISTSETTINGS,” which is a Continuation of, and claims priority to U.S.patent application Ser. No. 14/697,540, filed Apr. 27, 2015, entitled“ITEM SHARING BASED ON INFORMATION BOUNDARY AND ACCESS CONTROL LISTSETTINGS,” which application is incorporated herein by reference in itsentirety.

BACKGROUND

When working with files stored in file management solutions (like clouddrives), a file owner may share a link to one of his or her files withsomebody else to allow them to open that file. The recipients of thelink may want to forward the link to others further sharing the file.For some files that are shared, the document owner may trust the peoplehe or she shares with to share content only with people who need accessto that information. Therefore, to allow for friction-free collaborationwithin a working group, the document owner may want to allow anysecond-order recipients access the file through the shared link. Thedocument may be accessed through the shared link without having toapprove every new person accessing the file, or having to specify inadvance individuals who should be granted access.

However, in an organizational environment, friction-free collaborationmay need be balanced with information security requirements of theorganization. File owners may want/need to specify boundaries thatdefine how far a piece of content might be re-shared.

SUMMARY

This summary is provided to introduce a selection of concepts in asimplified form that are further described below in the DetailedDescription. This summary is not intended to exclusively identify keyfeatures or essential features of the claimed subject matter, nor is itintended as an aid in determining the scope of the claimed subjectmatter.

Embodiments are directed to sharing an item based on informationboundary and access control list settings. An application such as anitem management application may detect a selection of an informationboundary. The information boundary may be used to manage a sharingaction associated with an item. The item may include a document, anaudio file, a video file, or presentation, among others. A selection ofan access control list may also be detected. The access control list maybe used to manage recipients who have an access to the item.

A sharing action to share the item may be detected. The sharing actionmay include a transmission of a link of the item to a recipient.Furthermore, the information boundary and the access control list may beapplied to the item. The information boundary may include rules to grantaccess to the item that may be applied to the item. The recipient may beadded to the access control list associated with the item to allow therecipient to search and discover the item. The item may be shared basedon the information boundary and the access control list.

These and other features and advantages will be apparent from a readingof the following detailed description and a review of the associateddrawings. It is to be understood that both the foregoing generaldescription and the following detailed description are explanatory anddo not restrict aspects as claimed.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 includes an example network environment where item sharing basedon information boundary and access control list settings may beimplemented;

FIG. 2 illustrates conceptually sharing of items based on informationboundary settings;

FIG. 3 illustrates an example user experience to allow a sharer to sharean item with the option of defining information boundary and/or accesscontrol settings;

FIG. 4 illustrates another example user experience to allow a sharer tosee and define information boundary and/or access control settings for ashared item;

FIG. 5 illustrates a further example user experience to allow a sharerto view access attributes for groups within an organization (informationboundaries);

FIG. 6 is a simplified networked environment, where a system accordingto embodiments may be implemented;

FIG. 7 is a block diagram of an example computing device, which may beused to implement item sharing based on information boundary and accesscontrol list settings; and

FIG. 8 illustrates a logic flow diagram of a method to enable itemsharing based on information boundary and access control list settings,according to embodiments.

GLOSSARY

Item—any form of structured data and streaming data that includesdocuments, files, and folders. Files may contain textual, graphical,audio, video, and similar data.

Sharer—a user sharing an item with one or more other users based oninformation boundary and access control parameters or rules.

Item Management Application—an application that enables management ofitems such as saving, opening, editing, sharing. An example itemmanagement application may be a document management application, butapplications that allow editing and creation of content such as wordprocessing applications or spreadsheet applications may also beempowered with item management capabilities such as sharing of documentsfrom within a presentation application user experience.

Collaborative Service—a set of coordinated applications and associatedcloud storage hosted by a plurality of servers providing access to thefunctionality of the applications and collaboration opportunitiesthrough web browser or locally installed client application userexperiences to a plurality of users. The collaborative service mayprovide its services to “clients” or “tenants”, who in turn may allowusers or subscribers to access the provided services. An item managementapplication may be part of a collaborative service or work inconjunction with a collaborative service.

Cloud storage—one or more data stores accessible through networks.

Permission level—a security setting that enables a user to controlaccess to the shared items within a data storage.

Computing device—a device comprising at least a memory and a processorthat includes a desktop computer, a laptop computer, a tablet computer,a smart phone, a vehicle mount computer, or a wearable computer.

Memory—a removable or non-removable component of a computing deviceconfigured to store one or more instructions to be executed by one ormore processors.

A processor—a component of a computing device coupled to a memory andconfigured to execute programs in conjunction with instructions storedby the memory.

File—any form of structured data that is associated with audio, video,graphics, images, and text.

Third party service—an independent service separate from a system usedby the initiating user and the target user, another service, or anapplication.

Operating system—a system configured to manage hardware and softwarecomponents of a computing device that provides common services andapplications.

Integrated module—a component of an application or service that isintegrated within the application or service such that the applicationor service is configured to execute the component.

Application—a program that when executed enables a user to communicate,create, edit, and share items.

Computer-readable memory device—a physical computer-readable storagemedium implemented via one or more of a volatile computer memory, anon-volatile memory, a hard drive, a flash drive, a floppy disk, or acompact disk, and comparable hardware media that includes instructionsthereon to automatically save content to a location.

User experience—a visual display associated with an application orservice through which a user interacts with the application or service.

User action—an interaction between a user and a user experience of anapplication or a user experience provided by a service that includes oneof touch input, gesture input, voice command, eye tracking, gyroscopicinput, pen input, mouse input, and keyboards input.

Application programming interface (API)—a set of routines, protocols,and tools for an application or service that enable the application orservice to interact or communicate with one or more other applicationsand services managed by separate entities.

Information boundary—a set of rules to govern how an item may be sharedwith other users within one or more organizational entities. Exampleaccess rules may pertain to search, discovery, read access, writeaccess, execute access, and similar actions.

Access Control List—a list of rules governing who can have what type ofaccess to an item within one or more organizational entities. AccessControl Lists may be defined/modified by administrators or users andrelate to level of access to shared items by users of differentattributes.

DETAILED DESCRIPTION

As briefly described above, an item such as a document, a video file, anaudio file, and a presentation, among others may be shared based oninformation boundary and access control list settings. A selection of aninformation boundary may be detected to manage a sharing actionassociated with the item. A selection of an access control list may alsobe detected to manage recipients who have an access to the item. Inresponse to a detection of the sharing action to share the item, theinformation boundary and the access control list may be applied to theitem. The item may be shared based on the information boundary and theaccess control list.

In the following detailed description, references are made to theaccompanying drawings that form a part hereof, and in which are shown byway of illustrations, specific embodiments, or examples. These aspectsmay be combined, other aspects may be utilized, and structural changesmay be made without departing from the spirit or scope of the presentdisclosure. The following detailed description is therefore not to betaken in a limiting sense, and the scope of the present invention isdefined by the appended claims and their equivalents.

While some embodiments will be described in the general context ofprogram modules that execute in conjunction with an application programthat runs on an operating system on a personal computer, those skilledin the art will recognize that aspects may also be implemented incombination with other program modules.

Generally, program modules include routines, programs, components, datastructures, and other types of structures that perform particular tasksor implement particular abstract data types. Moreover, those skilled inthe art will appreciate that embodiments may be practiced with othercomputer system configurations, including hand-held devices,multiprocessor systems, microprocessor-based or programmable consumerelectronics, minicomputers, mainframe computers, and comparablecomputing devices. Embodiments may also be practiced in distributedcomputing environments where tasks are performed by remote processingdevices that are linked through a communications network. In adistributed computing environment, program modules may be located inboth local and remote memory storage devices.

Some embodiments may be implemented as a computer-implemented process(method), a computing system, or as an article of manufacture, such as acomputer program product or computer readable media. The computerprogram product may be a computer storage medium readable by a computersystem and encoding a computer program that comprises instructions forcausing a computer or computing system to perform example process(es).The computer-readable storage medium is a computer-readable memorydevice. The computer-readable storage medium can for example beimplemented via one or more of a volatile computer memory, anon-volatile memory, a hard drive, a flash drive, a floppy disk, or acompact disk, and comparable hardware media.

Throughout this specification, the term “platform” may be a combinationof software and hardware components to share an item based oninformation boundary and access control list settings. Examples ofplatforms include, but are not limited to, a hosted service executedover a plurality of servers, an application executed on a singlecomputing device, and comparable systems. The term “server” generallyrefers to a computing device executing one or more software programstypically in a networked environment. However, a server may also beimplemented as a virtual server (software programs) executed on one ormore computing devices viewed as a server on the network. More detail onthese technologies and example operations is provided below.

FIG. 1 includes an example network environment where item sharing basedon information boundary and access control list settings may beimplemented. As shown in diagram 100, a sharer 102 may transmit a linkfor sharing an item 106 through a computing device 104. The computingdevice 104 may include a mobile device such as a smart phone, and anotebook computer, among others.

The item to be shared may be managed through settings that include anaccess control list 108 and an information boundary 110. The accesscontrol list 108 may include a list of recipients who have an access tothe item. The access control list 108 may be updated through apermission control system that manages users and permissions within anorganization. An administrator may be allowed to add or removerecipients from a recipient data store from which the access controllist 108 may be generated. The sharer 102 may be allowed to selectrecipients from the recipient data store to generate the access controllist 108 to generate the access control list 108. A recipient 112 who isin the access control list 108 may be allowed to search and discover theitem to be shared.

The information boundary 110 may include a set of rules to govern howthe item may be shared. In an example scenario access rules such as aread access rule, a write access rule, and an execute access rule, amongother rules may be defined in the information boundary 110. A group ofrecipients may also be identified in the information boundary 110. Inanother example scenario, the sharer 102 may identify in the informationboundary 110 an accounting group as an entity within an organizationthat is allowed to share the item.

The item may be accessed through a storage service 124 through a network120. The storage service 124 may store the item in a data store 126. Theitem may include a document, a video file, an audio file, an image, agraphic, an animation, an email, a message, a meeting note, a datastore, and a presentation, among others. The storage service 124 may beprovided through a remote network or a local network in relation to thecomputing device 104.

The sharer 102 may initiate a sharing action to transmit the link forsharing item 106 to a computing device 122 of the recipient 112 to sharethe item. The computing device 122 may be a mobile device such as asmart phone or a notebook computer, among others. A received link 116may be used by the recipient 112 to access the item. Search & discovery114 access to the item may be determined by the access control list. Ifthe recipient is in the access control list, the item may be searchableand discoverable by the recipient. Open/edit 118 access to the item maybe determined by the information boundary 110. The information boundary110 may include rules to define the access privileges granted to therecipient 112.

FIG. 2 illustrates conceptually sharing of items based on informationboundary settings. As shown in a diagram 200, an application such as anitem management application may manage sharing of an item 207. Anexample of an item management application may include a documentmanagement application. The item 207 may be shared by a sharer 202through a link 208 that is transmitted to recipients 206. The sharer mayselect information boundary rules 210 to manage the sharing of the item207. The information boundary rules may be defined by an administrator204.

The information boundary rules 210 as selected by the sharer 202 maydefine the information boundary of sharing the item 207. In an examplescenario, the sharer 202 may select access rules such as read access,write access, and an execute access, among others to define theinformation boundary of the item 207. The sharer 202 may select a readaccess rule as one of the information boundary rules to allow therecipients 206 to read the item 207 while preventing the recipients 206to edit or delete the item 207. Alternatively, the sharer 202 may selecta write access rule as one of the information boundary rules 210 toallow the recipients to edit the item 207. In another example scenario,the sharer 202 may select information boundary rules 210 to limit numberof subsequent shares that one of the recipients 206 may attempt withanother set of recipients. In yet another example scenario, the sharer202 may select information boundary rules 210 that identify a group suchas accounting, engineering, design, among others within an organizationas the recipients 206 who are granted access to the item 207.

An access control list may identify the recipients who are grantedsearch and discovery access to the item 207. However, the sharer mayshare the item with recipients 206 who are not in the access controllist. In such a scenario, if the recipient receives the link 208 andattempts to search or discover the item 207, the recipient may be unableto locate the item 207 because the item 207 may be in an invisible stateto the recipients 206. To make the item 207 searchable and discoverablethe recipients 206 (who are not in the access control list) may accessthe item 207 through the link 208. In response to the recipients 206attempt to access the item 207, the item management application may addthe recipients 206 into the access control list and make the item 207searchable and discoverable to the recipients 206. As such, the accesscontrol list may define a recipient's ability to search and discover theitem 207. If the recipient is in the access control list, the recipientmay be allowed to search and discover the item 207. However, if therecipient is not in the access control list but is allowed to access thedocument through the information boundary as set by the sharer 202, therecipient may be added to the access control list in response to anattempt to access the item 207. The attempt to access the item 207 mayinclude activation of the link 208, among other schemes.

The administrator 204 may be provided with a user interface to createand manage a recipient data store to allow the sharer 202 to create theaccess control list. The administrator 204 may add or delete recipients206 to the recipient data store. The sharer 202 may define therecipients 206 by generating the access control list that includes therecipients 206. Alternatively, the sharer 202 may select an accesscontrol list that is generated by the administrator or a user managementsystem from a set of access control lists. Examples includeorganizational access lists such as users in a building, users in agroup, users in a room, and users in a role, among others.

The administrator 204 may also be provided with a user interface tocreate and manage the information boundary rules 210. The sharer 202 mayselect a set of rules from the information boundary rules 210 to definethe information boundary. The sharer 202 may also be granted privilegesto modify the information boundary rules 210 or create new rules. Thesharer 202 may configure settings of a selected subset of theinformation boundary rules 210. In an example scenario, the sharer 202may select a group within an organization such as an accounting group.The sharer 202 may grant the group with a read access to share the item207 to define the information boundary associated with the item 207. Therecipients 206 within the accounting group may share the item 207 withread access amongst each other without further action from the sharer202. The administrator 204 may also be allowed to generate and modifydefault information boundary rules. The default information boundaryrules may include strict rules to prevent unauthorized dissemination ofinformation. Examples may include a rule to limit access to an item torecipients within an organization and a rule to provide read only accessto the item. Moreover, different users in an organization may be givendefault information boundaries. For example, people in the Finance groupmight have the default information boundary of “Anyone in Finance canopen the files I create.” People who work in particularly sensitiveareas—e.g. Legal—may be assigned the most restrictive informationboundary, which may be “Only people I add to the access control listmanually can see my files.”

FIG. 3 illustrates an example user experience to allow a sharer to sharean item with the option of defining information boundary and/or accesscontrol settings. As illustrated in a diagram 300, a computing device302 may display an example user interface of an item managementapplication. The computing device 302 may include a smart phone, amongothers. The user interface of the item management application mayinclude a client interface for the item management application thatexecutes in a remote computing device, or a local user interface for theitem management application that executes locally, among others.

The user interface of the item management application may display itemssuch as an email 304, a document 306, and a meeting note 308, amongothers. The user interface may also display a sharing status of theitems. In an example scenario, the email 304 may be displayed with ashare status and a last edit status. The document 306 may be displayedwith a share status and a present editing status that includes therecipient who is editing the document 306. The meeting notes 308 may bedisplayed with a share status and a last edit status. The last editstatus may include a timestamp of the last edit.

A share user interface component 310 may provide the sharer withcontrols to share the items 312 such as the email 304, the document 306,and the meeting note 308, among others. The sharer may be able to copythe items 312 into the share user interface component 310 to initiate ashare process. An example of a copy operation includes a drag and dropaction. The sharer may also be allowed to select information boundaryrules from a rule user interface component 314. In an example scenariothe sharer may be allowed to select an access rule such as grant editprivileges and an organizational rule such as an organization accountrequirement from the list of rules. The list of rules associated withthe information boundary may be defined by an administrator of therules. The administrator may also grant edit and create privileges toallow the sharer to edit existing rules and create new rules. The sharermay be allowed to configure the information boundary and an accesscontrol list associated with the item by selecting an activation control316.

FIG. 4 illustrates another example user experience to allow a sharer tosee and define information boundary and/or access control settings for ashared item. As illustrated in diagram 400, a computing device 402 mayprovide a sharing user interface 404 of an item management application.The sharing user interface 404 may allow the sharer to configure rulesassociated with the information boundary of an item to be shared. A linksharing control 406 may allow the sharer to share the item. The sharermay transmit the link to a recipient who may be allowed to access theitem. An activation of the organization account required control 408 mayprocess a rule that determines whether the recipient has an organizationaccount such as an email address that is associated with theorganization. In response to a detection of the organization account,the recipient may be allowed to share the item. An access control 410may set an access privilege of the recipient. The recipient may beallowed to read, edit, execute, and perform other actions associatedwith the item.

The sharer may also be allowed to specify an access control list 414through a shared user interface component of the sharing user interface404. The sharer may be allowed to add recipients to share the itemthrough an add recipient control 412. Recipients may be added, modified,or deleted from the access control list to define who has access to theitem. An access status of each recipient may also be displayed to remindthe user of the shared privileges with the recipients. The recipientsmay be provided by an administrator through an recipient data store. Therecipients in the access control list 414 may be allowed to search anddiscover the item.

FIG. 5 illustrates a further example user experience to allow a sharerto view access attributes for groups within an organization (informationboundaries). As illustrated in diagram 500, a user interface of an itemmanagement application may be provided to the sharer to allow the sharerto select rules associated with the information boundary. In an examplescenario, information boundary rules available to the sharer may bedisplayed by the user interface. The information boundary rules may varyin restrictions applied to sharing the item. The rules may be listed ina sorted format such as a most restrictive rule to a least restrictiverule or least restrictive rule to a most restrictive rule, among others.

In an example scenario, a no sign in required rule 502 may be displayedto allow the sharer to select the rule as the information boundary. Theno sign in required rule 502 may restrict sharing of the item torecipients with whom the sharer transmits the link to the item. Othersmay not be allowed to search or discover the item. An account requiredrule 504 may restrict the sharing of the item to recipients who have anaccount as specified by the sharer. The account may be an email accountassociated with the recipient such as an email associated with a domainaddress of the organization. The organization account required rule 506may restrict sharing of the item to recipients who have an organizationaccount. The organization account may be in common with the sharer.Alternatively, the sharer may specify the organization account that maynot be in common with the sharer. The sharer may select a rule to definethe information boundary through a user action 508 such as a tap action,among others.

In another example scenario, an only people in group rule 510 mayrestrict sharing of the item to recipients within a group. The group maybe defined by an administrator within an access control list that thesharer may be allowed to select. Alternatively, the sharer may beallowed to create the group by generating an access control listassociated with the group. The recipients in the group may be allowed toshare the item with other recipients in the group based on an accessrule as set by the sharer. The only people I invite rule 512 mayrestrict sharing of the item to the recipients as specified by thesharer in an access control list. The recipients in the access controllist may not be allowed to share the item with other recipients outsidethe access control list. The just me rule 514 restricts the item to thesharer. The item may not be shared with recipients regardless of a linkto the item.

The examples in FIGS. 1 through 5 have been described using specificnetwork environments, systems, services, applications and processes toshare an item based on information boundary and access control listsettings. Embodiments to share an item based on information boundary andaccess control list settings are not limited to the specific networkenvironments, systems, services, applications, and processes accordingto these examples.

Sharing an item based on information boundary and access control listsettings, as described in the embodiments above, may eliminateadditional user selection steps, advantageously reducing processor loadand thus increasing a processing speed. Additionally, sharing an itembased on information boundary and access control list settings mayeliminate the inconvenience of multiple user authentication steps toreceive authentication to access an item in a secure environment.Furthermore, the information boundary and access control list mayenhance availability, along with allowing the sharer to set permissionlevels for each recipient and item.

FIG. 6 is an example networked environment, where embodiments may beimplemented. An item management application configured to share an itembased on information boundary and access control list settings may beimplemented via software executed over one or more servers 614 such as ahosted service. The platform may communicate with client applications onindividual computing devices such as a smart phone 613, a mobilecomputer 612, or desktop computer 611 (‘client devices’) throughnetwork(s) 610.

Client applications executed on any of the client devices 611-613 mayfacilitate communications via application(s) executed by servers 614, oron individual server 616. An item management application may detectselections of an information boundary to manage a sharing actionassociated with an item and an access control list to manage recipientswho have an access to the item. In response to a detection of thesharing action to share the item, the information boundary and theaccess control list may be applied to the item. The item may be sharedbased on the information boundary and the access control list. The itemmanagement application may store the item in data store(s) 619 directlyor through database server 618.

Network(s) 610 may comprise any topology of servers, clients, Internetservice providers, and communication media. A system according toembodiments may have a static or dynamic topology. Network(s) 610 mayinclude secure networks such as an enterprise network, an unsecurenetwork such as a wireless open network, or the Internet. Network(s) 610may also coordinate communication over other networks such as PublicSwitched Telephone Network (PSTN) or cellular networks. Furthermore,network(s) 610 may include short range wireless networks such asBluetooth or similar ones. Network(s) 610 provide communication betweenthe nodes described herein. By way of example, and not limitation,network(s) 610 may include wireless media such as acoustic, RF, infraredand other wireless media.

Many other configurations of computing devices, applications, datasources, and data distribution systems may be employed to share an itembased on information boundary and access control settings. Furthermore,the networked environments discussed in FIG. 6 are for illustrationpurposes only. Embodiments are not limited to the example applications,modules, or processes.

FIG. 7 and the associated discussion are intended to provide a brief,general description of a general purpose computing device, which may beused to implement item sharing based on information boundary and accesscontrol list settings.

For example, computing device 700 may be used as a server, desktopcomputer, portable computer, smart phone, special purpose computer, orsimilar device. In an example basic configuration 702, the computingdevice 700 may include one or more processors 704 and a system memory706. A memory bus 708 may be used for communicating between theprocessor 704 and the system memory 706. The basic configuration 702 isillustrated in FIG. 7 by those components within the inner dashed line.

Depending on the desired configuration, the processor 704 may be of anytype, including but not limited to a microprocessor (μP), amicrocontroller (μC), a digital signal processor (DSP), or anycombination thereof. The processor 704 may include one more levels ofcaching, such as a level cache memory 712, one or more processor cores714, and registers 716. The example processor cores 714 may (each)include an arithmetic logic unit (ALU), a floating point unit (FPU), adigital signal processing core (DSP Core), or any combination thereof.An example memory controller 718 may also be used with the processor704, or in some implementations the memory controller 718 may be aninternal part of the processor 704.

Depending on the desired configuration, the system memory 706 may be ofany type including but not limited to volatile memory (such as RAM),non-volatile memory (such as ROM, flash memory, etc.) or any combinationthereof. The system memory 706 may include an operating system 720, anitem management application 722, and program data 724. The managementapplication 722 may include a sharing module 725 to manage operationsassociated with sharing the item through a link the the item, an accesscontrol list (ACL) module 726 may manage operations to generate andmodify an access control list, and an information boundary engine maygenerate and modify an information boundary from rules that are selectedby a sharer, which may be integrated modules of the item managementapplication 722 or separate applications. The program data 724 mayinclude, among other data, an item 728 that may be shared through a linkof the item based on information boundary and access control listsettings, as described herein.

The computing device 700 may have additional features or functionality,and additional interfaces to facilitate communications between the basicconfiguration 702 and any desired devices and interfaces. For example, abus/interface controller 730 may be used to facilitate communicationsbetween the basic configuration 702 and one or more data storage devices732 via a storage interface bus 734. The data storage devices 732 may beone or more removable storage devices 736, one or more non-removablestorage devices 738, or a combination thereof. Examples of the removablestorage and the non-removable storage devices include magnetic diskdevices such as flexible disk drives and hard-disk drives (HDDs),optical disk drives such as compact disk (CD) drives or digitalversatile disk (DVD) drives, solid state drives (SSD), and tape drivesto name a few. Example computer storage media may include volatile andnonvolatile, removable and non-removable media implemented in any methodor technology for storage of information, such as computer readableinstructions, data structures, program modules, or other data.

The system memory 706, the removable storage devices 736 and thenon-removable storage devices 738 are examples of computer storagemedia. Computer storage media includes, but is not limited to, RAM, ROM,EEPROM, flash memory or other memory technology, CD-ROM, digitalversatile disks (DVDs), solid state drives, or other optical storage,magnetic cassettes, magnetic tape, magnetic disk storage or othermagnetic storage devices, or any other medium which may be used to storethe desired information and which may be accessed by the computingdevice 700. Any such computer storage media may be part of the computingdevice 700.

The computing device 700 may also include an interface bus 740 forfacilitating communication from various interface devices (for example,one or more output devices 742, one or more peripheral interfaces 744,and one or more communication devices 746) to the basic configuration702 via the bus/interface controller 730. Some of the example outputdevices 742 include a graphics processing unit 748 and an audioprocessing unit 750, which may be configured to communicate to variousexternal devices such as a display or speakers via one or more A/V ports752. One or more example peripheral interfaces 744 may include a serialinterface controller 754 or a parallel interface controller 756, whichmay be configured to communicate with external devices such as inputdevices (for example, keyboard, mouse, pen, voice input device, touchinput device, etc.) or other peripheral devices (for example, printer,scanner, etc.) via one or more I/O ports 758. An example communicationdevice 746 includes a network controller 760, which may be arranged tofacilitate communications with one or more other computing devices 762over a network communication link via one or more communication ports764. The one or more other computing devices 762 may include servers,computing devices, and comparable devices.

The network communication link may be one example of a communicationmedia. Communication media may typically be embodied by computerreadable instructions, data structures, program modules, or other datain a modulated data signal, such as a carrier wave or other transportmechanism, and may include any information delivery media. A “modulateddata signal” may be a signal that has one or more of its characteristicsset or changed in such a manner as to encode information in the signal.By way of example, and not limitation, communication media may includewired media such as a wired network or direct-wired connection, andwireless media such as acoustic, radio frequency (RF), microwave,infrared (IR) and other wireless media. The term computer readable mediaas used herein may include both storage media and communication media.

The computing device 700 may be implemented as a part of a generalpurpose or specialized server, mainframe, or similar computer thatincludes any of the above functions. The computing device 700 may alsobe implemented as a personal computer including both laptop computer andnon-laptop computer configurations.

Example embodiments may also include methods to share an item based oninformation boundary and access control list settings. These methods canbe implemented in any number of ways, including the structures describedherein. One such way may be by machine operations, of devices of thetype described in the present disclosure. Another optional way may befor one or more of the individual operations of the methods to beperformed in conjunction with one or more human operators performingsome of the operations while other operations may be performed bymachines. These human operators need not be collocated with each other,but each can be only with a machine that performs a portion of theprogram. In other embodiments, the human interaction can be automatedsuch as by pre-selected criteria that may be machine automated.

FIG. 8 illustrates a logic flow diagram of a method to enable itemsharing based on information boundary and access control list settings,according to embodiments. Process 800 may be implemented on a computingdevice such as the computing device 700 or other system.

Process 800 begins with operation 810, where a selection of aninformation boundary may be detected to manage a sharing actionassociated with the item. The information boundary may include rulessuch as access rules to govern an access of a recipient to the item. Atoperation 820, a selection of an access control list may be detected tomanage recipients who have an access to the item. The access controllist may govern search and discovery availability of the item. Therecipients in the access control list associated with the item maysearch and discover the item. The recipients who are not in the in theaccess control list may not discover the item through a search.

A sharing action to share the item may be detected at operation 830. Thesharing action may include a command by the sharer to transmit a link ofthe item to a recipient. The recipient may or may not be in an accesscontrol list associated with the item. The information boundary and theaccess control list may be applied to the item at operation 840. Theitem may be shared based on the information boundary and the accesscontrol list at operation 850. The information boundary may providerules to determine how the item may be accessed by the recipient. Theaccess control list may allow the recipient to search and discover theitem.

The operations included in process 800 are for illustration purposes.Sharing an item based on information boundary and access controllistings may be implemented by similar processes with fewer oradditional steps, as well as in different order of operations using theprinciples described herein.

According to other examples, a means for employing context-basedinference to share an item based on information boundary and accesscontrol list settings is described. The means may include a means fordetecting a first selection of an information boundary to manage asharing action associated with the item, where the information boundaryincludes one or more access rules associated with the item; a means fordetecting a second selection of an access control list to managerecipients who have an access to the item; a means for detecting thesharing action to share the item; a means for applying the informationboundary and the access control list to the item; and a means forsharing the item based on the information boundary and the accesscontrol list.

According to some examples, a computing device configured to share anitem based on information boundary and access control list settings isdescribed. The computing device may include a memory configured to storeone or more instructions and a processor coupled to the memory andconfigured to execute an item management application. The itemmanagement application may be configured to detect a first selection ofan information boundary to manage a sharing action associated with theitem; detect a second selection of an access control list to managerecipients who have an access to the item; detect the sharing action toshare the item; apply the information boundary and the access controllist to the item; and share the item based on the information boundaryand the access control list.

According to other examples, the item management application may befurther configured to in response to a detection of a creation of theitem, assign default information boundaries to the item and provide auser interface to allow an administrator of the default informationboundaries to one or more of create and manage one or more rules of thedefault information boundaries. The item management application may alsobe configured to identify a new recipient in the sharing action; inresponse to a detection of the new recipient in the access control list,determine whether the new recipient is within the information boundaryof the item; and in response to a detection that the new recipient iswithin the information boundary of the item, grant the new recipient anaccess to the item.

According to further examples, the item management application may befurther configured to identify a new recipient in the sharing action; inresponse to a failure to detect the new recipient in the access controllist, determine whether the new recipient is within the informationboundary of the item; and in response to a detection that new recipientis within the information boundary of the item, grant the new recipientan access to the item and add the new recipient to the access controllist. The item management application may also be configured to allow asharer of the item to select the information boundary from a number ofinformation boundaries, where the number of information boundariesinclude one or more access rules associated with the item.

According to yet other examples, the item management application may befurther configured to allow the sharer to manage the one or more accessrules, where the one or more access rules include one or more of a readaccess rule, a write access rule, and an execute access rule. The itemmanagement application may also be configured to receive organizationalinstructions to store the recipients in groups; and add the groups tothe access control list. The item management application may be furtherconfigured to detect a third selection of a group to grant the group anaccess to the item, where the group includes a subset of the recipients;and add one or more rules to the information boundary to grant the groupthe access to the item. The item management application may be furtherconfigured to provide a user interface to allow an administrator of theinformation boundary to define the group and the access, wherein theaccess includes one or more of a read access, a write access, and anexecute access to the item or provide a user interface to allow a sharerof the item to edit the group and the access, wherein the accessincludes one or more of a read access, a write access, and an executeaccess to the item.

According to other examples, a method to employ context-based inferenceto share an item based on information boundary and access control listsettings is described. The method may include detecting a firstselection of an information boundary to manage a sharing actionassociated with the item, where the information boundary includes one ormore access rules associated with the item; detecting a second selectionof an access control list to manage recipients who have an access to theitem; detecting the sharing action to share the item; applying theinformation boundary and the access control list to the item; andsharing the item based on the information boundary and the accesscontrol list.

According to further examples, the method may also include transmittinga link to the item to a selected recipient of the recipients in responseto the sharing action; detecting an execution of a first search for theitem by the selected recipient; and maintaining an invisible status ofthe item to the first search. The method may further include detectingan access to the item through the link by the selected recipient; andadding the recipient to the access control list. The method may alsoinclude detecting an execution of a second search for the item by theselected recipient; and providing the item within a results list for thesecond search. The method may further include allowing an administratorof the information boundary to define a number of information boundariesto a sharer of the item for the first selection; and allowing theadministrator of the access control list to define the recipients to thesharer of the item for the second selection.

According to yet further examples, a computer-readable memory devicewith instructions stored thereon to share an item based on informationboundary and access control list settings is described. The instructionsmay include detecting a first selection of an information boundary tomanage a sharing action associated with the item, where the informationboundary includes one or more access rules associated with the item;detecting a second selection of an access control list to managerecipients who have an access to the item; detecting the sharing actionto share the item; applying the information boundary and the accesscontrol list to the item; and sharing the item based on the informationboundary and the access control list.

According to some examples, the instructions may further includetransmitting a link to the item to a selected recipient from therecipients in response to the sharing action; detecting an execution ofa first search for the item by the selected recipient; and maintainingan invisible status of the item to the first search. The instructionsmay also include providing a link to the item based on the sharingaction to a selected recipient of the recipients; detecting an access tothe item through the link by the selected recipient; adding therecipient to the access control list; detecting an execution of a secondsearch for the item by the selected recipient; and providing the itemwithin a results list for the second search.

The above specification, examples and data provide a completedescription of the manufacture and use of the composition of theembodiments. Although the subject matter has been described in languagespecific to structural features and/or methodological acts, it is to beunderstood that the subject matter defined in the appended claims is notnecessarily limited to the specific features or acts described above.Rather, the specific features and acts described above are disclosed asexample forms of implementing the claims and embodiments.

What is claimed is:
 1. A method comprising: maintaining an accesscontrol list, wherein the access control list provides searchable accessto a cloud-based item, stored in a searchable repository, for users thatare identified in the access control list; maintaining an informationboundary comprising a rule that provides a downstream recipient withlink access to the cloud-based item if the downstream recipient has anemail address with a specified domain and the downstream recipientreceives and opens a link to the cloud-based item; receiving, by thesearchable repository from the downstream recipient, a first querycorresponding to the cloud-based item; determining that the downstreamrecipient is not identified in the access control list; surfacing anindication that the recipient is not identified in the access controllist; receiving, from the downstream recipient, a request to access thecloud-based item via a link sent to the downstream recipient;determining that the downstream recipient has the email address with thespecified domain; adding, based on receiving the request to access thecloud-based item via the link and the determination that the downstreamrecipient has the email address with the specified domain, the identityof the downstream recipient to the access control list; receiving, bythe searchable repository from the downstream recipient, a second querycorresponding to the cloud-based item; determining that the downstreamrecipient is identified in the access control list; and granting thedownstream recipient with access to the cloud-based item.
 2. The methodof claim 1, wherein the link was forwarded to the downstream recipientfrom an initial downstream recipient that received the link from anoriginal link sharing user.
 3. The method of claim 1, wherein therequest to access the cloud-based item comprises a request to view thecloud-based item via an online collaborative service search.
 4. Themethod of claim 3, wherein granting the downstream recipient with accessto the cloud-based item comprises granting search access to thecloud-based item by the online collaborative service.
 5. The method ofclaim 3, wherein granting the downstream recipient with access to thecloud-based item comprises granting the downstream recipient with accessrights of a type comprising one or more of: read access to thecloud-based item, write access to the cloud-based item, and executeaccess to the cloud-based item.
 6. The method of claim 1, wherein theaccess control list comprises a plurality of user identities that haveaccess rights to the cloud-based item.
 7. The method of claim 1, whereinthe information boundary further comprises a rule that limits a numberof times that the link can be shared by downstream recipients of thelink.
 8. A system comprising: at least one processor; and a memoryoperatively connected with the at least one processor, wherein thememory stores computer-executable instructions that, when executed bythe at least one processor, causes the at least one processor to executea method that comprises: maintaining an access control list, wherein theaccess control list provides searchable access to a cloud-based item,stored in a searchable repository, for users that are identified in theaccess control list; maintaining an information boundary comprising arule that provides a downstream recipient with link access to thecloud-based item if the downstream recipient has an email addressassociated with a specified group in an organization and the downstreamrecipient receives and opens a link to the cloud-based item; receiving,by the searchable repository from the downstream recipient, a firstquery corresponding to the cloud-based item; determining that thedownstream recipient is not identified in the access control list;surfacing an indication that the recipient is not identified in theaccess control list receiving, from the downstream recipient, a requestto access the cloud-based item via a link sent to the downstreamrecipient; determining that the downstream recipient has an emailaddress associated with the specified group in the organization; adding,based on receiving the request to access the cloud-based item via thelink and the determination that the downstream recipient has the emailaddress associated with the specified group in the organization, theidentity of the downstream recipient to the access control list;receiving, by the searchable repository from the downstream recipient, asecond query corresponding to the cloud-based item; determining that thedownstream recipient is identified in the access control list; andgranting the downstream recipient with access to the cloud-based item.9. The system of claim 8, wherein the link was forwarded to thedownstream recipient from an initial downstream recipient that receivedthe link from an original link sharing user.
 10. The system of claim 8,wherein the request to access the cloud-based item comprises a requestto access the cloud-based item via an online collaborative servicesearch.
 11. The system of claim 10, wherein granting the downstreamrecipient with access to the cloud-based item comprises granting thedownstream recipient with search access to the cloud-based item by theonline collaborative service.
 12. The system of claim 8, whereingranting the downstream recipient with access to the cloud-based itemcomprises making the cloud-based item discoverable to the downstreamrecipient via an online collaborative service.
 13. The system of claim8, wherein the access control list comprises a plurality of useridentities that have access rights to the cloud-based item.
 14. Thesystem of claim 8, wherein the information boundary further comprises arule that limits a number of times that the link can be shared bydownstream recipients of the link.
 15. A computer-readable storage mediastoring computer-executable instructions that, when executed by at leastone processor, causes the at least one processor to execute a methodcomprising: maintaining an access control list, wherein the accesscontrol list provides searchable access to a cloud-based item, stored ina searchable repository, for users that are identified in the accesscontrol list; maintaining an information boundary comprising a rule thatprovides a downstream recipient with link access to the cloud-based itemif the downstream recipient has an email address with a specified domainand the downstream recipient receives and opens a link to thecloud-based item; receiving, by the searchable repository from thedownstream recipient, a first query corresponding to the cloud-baseditem; determining that the downstream recipient is not identified in theaccess control list; surfacing an indication that the recipient is notidentified in the access control list; receiving, from the downstreamrecipient, a request to access the cloud-based item via a link sent tothe downstream recipient; determining that the downstream recipient hasthe email address with the specified domain; adding, based on receivingthe request to access the cloud-based item via the link and thedetermination that the downstream recipient has the email address withthe specified domain, the identity of the downstream recipient to theaccess control list; receiving, by the searchable repository from thedownstream recipient, a second query corresponding to the cloud-baseditem; determining that the downstream recipient is identified in theaccess control list; and granting the downstream recipient with accessto the cloud-based item.
 16. The computer-readable storage media ofclaim 15, wherein the link was forwarded to the downstream recipientfrom an initial downstream recipient that received the link from anoriginal ink sharing user.
 17. The computer-readable storage media ofclaim 15, wherein the request to access the cloud-based item comprises arequest to access the cloud-based item via an online collaborativeservice search.
 18. The computer-readable storage media of claim 17,wherein granting the downstream recipient with access to the cloud-baseditem comprises granting the downstream recipient with search access tothe cloud-based item by the online collaborative service.
 19. Thecomputer-readable storage media of claim 15, wherein granting thedownstream recipient with access to the cloud-based item comprisesmaking the cloud-based item discoverable to the downstream recipient viaan online collaborative service.
 20. The computer-readable storage mediaof claim 15, wherein the information boundary further comprises a rulethat limits a number of times that the link can be shared by downstreamrecipients of the link.